arbazkhan971/secure
skills/secure/SKILL.md
Security audit. STRIDE + OWASP Top 10 + 4 red-team personas. Code evidence required.
$ install --global
skillsauthnpx skillsauth add arbazkhan971/godmode secureInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 26, 2026, 7:38 AM34.0s2 files scanned
SKILL.md
- name:
- secure
- description:
- >
Activate When
/godmode:secure, "security audit", "vulnerabilities"- "harden", "pentest", "threat model"
- "sql injection", "owasp", "owasp top 10", "vulnerability scan"
- "check owasp", "owasp issues", "security issues"
Workflow
1. Recon
# Dependency audit
npm audit 2>/dev/null || pip audit 2>/dev/null \
|| cargo audit 2>/dev/null
# Scan for hardcoded secrets
grep -rn 'SECRET\|API_KEY\|PASSWORD\|PRIVATE_KEY' \
--include="*.ts" --include="*.py" --include="*.go" \
--include="*.env" src/ 2>/dev/null | head -20
# List all public routes
grep -rn "router\.\(get\|post\|put\|delete\)" \
--include="*.ts" --include="*.js" -l 2>/dev/null
2. Asset Map
List each: DB (type+version), auth mechanism
(JWT/session/OAuth + expiry), external APIs,
all <input>/<form> elements, public routes.
3. Trust Boundaries
Draw: client<->server, public<->auth, user<->admin, svc<->svc, CI<->prod, internal<->external. Each boundary = attack surface.
4. STRIDE Analysis
For each boundary: Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation.
5. Iterate
categories = OWASP_TOP_10 + STRIDE # 16 total
current_iteration = 0
WHILE untested categories remain:
current_iteration += 1
Pick untested category.
Priority: Injection > Broken Auth > XSS
> SSRF > IDOR > remaining.
Test as 4 personas:
P1: External (no auth)
P2: Insider (valid session)
P3: Supply Chain (malicious dep)
P4: Infrastructure (server access)
Each finding: file:line + exploit steps
+ severity + fix (code snippet).
Every 5 iters: print progress.
IF finding has code evidence from 1+ personas: KEEP
IF no code evidence from any persona: DISCARD
6. Red-Team Persona Voting
FOR each finding:
Each persona rates: EXPLOITABLE (1) or NOT (0)
Score = sum (0-4):
4/4 = CRITICAL (unanimous)
3/4 = HIGH (likely exploitable)
2/4 = MEDIUM (conditional)
1/4 = LOW (edge case)
0/4 = DISCARD (theoretical)
7. Report
Print: OWASP {N}/10, STRIDE {N}/6. {C}C {H}H {M}M {L}L.
PASS if 0 critical + 0 high. Else FAIL.
8. Auto-Fix (if --fix)
For Critical/High: fix -> commit -> run full test suite -> revert if ANY test breaks.
Findings Format
Every finding MUST use:
SEVERITY|FILE:LINE|DESCRIPTION|FIX
Examples:
CRITICAL|src/api/auth.ts:42|SQL injection via
unsanitized email|Use parameterized query
HIGH|src/middleware/cors.ts:8|CORS wildcard|
Set explicit allowed origins
MEDIUM|src/utils/crypto.ts:15|Math.random() for
session token|Use crypto.randomBytes(32)
TSV Logging
Log to .godmode/security-findings.tsv:
iteration\tcategory\tpersona\tseverity\tfile_line\tdescription\tfix\tstatus\tvotes
Quality Targets
- Critical CVEs in deps: <1 allowed
- SAST scan: <5min per 100KB source
- Hardcoded secrets: <1 detected per scan
Hard Rules
- Inherits Default Activations per
SKILL.md §14. Principles prelude, pre-commit audit, terse/stdio/tokens, DispatchContext validation, Progressive Disclosure routing, discard cost hierarchy all fire by default. - Every finding: file:line + exploit + proof.
- Cover all OWASP Top 10 x 4 personas = 40 minimum.
- Never approve with Critical findings open.
- No code evidence from any persona = DISCARD.
- Auto-fix must run full test suite after each fix.
- Never ask to continue. Loop autonomously.
Keep/Discard Discipline
KEEP if: file:line evidence AND 1+ persona
rates EXPLOITABLE AND steps reproducible
DISCARD if: no code evidence OR 0/4 votes
OR duplicates existing finding
Every discard logged with reason.
Overfitting Prevention
Every finding must be exploitable in the general case, not only in this specific commit state. If the finding depends on a transient condition → classify as noise.
Stop Conditions
STOP when FIRST of:
- All OWASP + STRIDE categories tested
- max_iterations reached
- 3 consecutive boundaries produce 0 findings
AND coverage >80%
- >5 discards with no actionable replacements
Error Recovery
IF category produces no findings after analysis:
log NO_FINDING with justification, move on
IF scanning tool fails:
retry once, then fall back to manual review
IF finding cannot be reproduced:
downgrade to INFO, tag UNVERIFIED
Max 2 re-verification attempts
Output Format
Print: Secure: OWASP {N}/10, STRIDE {N}/6. {findings} findings. {kept} kept, {discarded} discarded. Status: {DONE|PARTIAL}.
Related Skills
arbazkhan971/webperf
development
VerifiedTrustedCommunity
Web performance optimization. Lighthouse, bundle analysis, code splitting, image optimization, critical CSS, fonts, service workers, CDN.
10SKILL.mdUpdated Apr 26, 2026
arbazkhan971/webhook
development
VerifiedTrustedCommunity
Webhook design, delivery, retry, HMAC verification, event subscriptions, dead letter queues.
10SKILL.mdUpdated Apr 26, 2026
arbazkhan971/vue
development
VerifiedTrustedCommunity
Vue.js mastery. Composition API, Pinia, Vue Router, Nuxt SSR/SSG, Vite optimization, testing.
10SKILL.mdUpdated Apr 26, 2026
arbazkhan971/verify
development
VerifiedTrustedCommunity
Evidence gate. Run command, read full output, confirm or deny claim. No trust, only proof.
10SKILL.mdUpdated Apr 26, 2026